Message-id: <F31EE7CA-D16C-451B-BD2E-E6F6E3F13802@me.com>
Date: Thu, 12 Dec 2013 13:55:22 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Command injection in Ruby Gem Webbynode 1.0.5.3

Command injection in Ruby Gem Webbynode 1.0.5.3

Date: 11/11/2014
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/webbynode

Vulnerability Description:

The following code located in ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input before passing it to the shell via %x. Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.

    def self.message(message)
      if self.installed? and !$testing
        message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
        %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
      end
    end

The message.gsub regex strips ANSI encoded characters from the #{message} variable; it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user.

Vendor: Notified 11/11/2013. I also submitted a pull request.

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
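The fix the advisory points at is to stop handing interpolated text to /bin/sh at all. The following is an added example, not code from the webbynode gem or from the advisory: it builds the same growlnotify invocation as an argv vector (so Kernel#system execs the program directly and metacharacters in the message stay data), shows the Shellwords-escaped fallback for cases where a single shell string cannot be avoided, and runs the argv form against a Ruby one-liner standing in for growlnotify so the pass-through can be checked offline. TITLE and IMAGE_PATH mirror the constants the gem interpolates; their values here are constructed placeholders.

```ruby
require "open3"
require "shellwords"
require "rbconfig"

# Constructed placeholders standing in for the gem's constants.
TITLE = "Webbynode"
IMAGE_PATH = "/tmp/webbynode.png"

# The command line the advisory's %x(...) would pass to /bin/sh, built as a
# string but not executed, so the effect of the interpolation can be inspected.
def interpolated_shell_line(message)
  %(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
end

# Hardened form: one argv element per argument. Kernel#system and Open3 with
# more than one argument exec the program directly, so ; & | ` $ in the
# message reach growlnotify as plain bytes, never as shell syntax.
def notify_argv(message, program: "growlnotify")
  [program, "-t", TITLE, "-m", message, "--image", IMAGE_PATH]
end

def notify(message)
  system(*notify_argv(message))
end

# Fallback when a single shell string is unavoidable: Shellwords escapes every
# piece so the shell reads each one as a single literal word.
def escaped_shell_line(message)
  notify_argv(message).shelljoin
end

# Runs the argv form with a Ruby one-liner in place of growlnotify (offline)
# and returns the arguments exactly as the child process received them.
# The "--" stops the child ruby from parsing -t / -m as its own options.
def received_args(message)
  stand_in = [RbConfig.ruby, "-e", "puts ARGV", "--"]
  out, status = Open3.capture2(*stand_in, *notify_argv(message)[1..-1])
  status.success? ? out.lines.map(&:chomp) : nil
end

if __FILE__ == $PROGRAM_NAME
  msg = "alpha; beta | gamma & delta" # constructed: metacharacters, no command
  puts interpolated_shell_line(msg)   # the ; | & land unquoted inside the sh line
  puts escaped_shell_line(msg)        # every metacharacter backslash-escaped
  p received_args(msg)                # message arrives as one intact argument
end
```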